How to use Logstash forwarder in Docker containers (part II)

Introduction

Last week I wrote a post on how to create a Logstash Forwarder Docker image, but an exact explanation of how to use it was missing. So I decided to write another post to explain it in more detail.

What I did was build a Docker image from the same Dockerfile that is provided in the previous post and in my GitHub account. Now I'm going to use that image to show you how to set up and run your own forwarder. You can find the image on Docker Hub.

Prerequisites

I assume that you already have a Logstash server set up and that you have access to the certificate it presents, which is the file the forwarder will trust as its CA. If you need more information on how to generate OpenSSL certificates, read this.

Another important thing to consider is that you need a DNS record (or an /etc/hosts entry) for your Logstash server whose name matches the name in that certificate (its Common Name or a Subject Alternative Name). The forwarder verifies the name it dials against the certificate, so if the names differ it can't establish the SSL connection. The same applies if you point it at an IP address: the certificate then needs that address as an IP SAN.

And finally you need a forwarder configuration which should look like this:

{
  # The network section covers network configuration :)
  "network": {
    # Downstream logstash server. You can change this to a fixed server
    # or you can leave it as it is and provide the server address with
    # env vars to the Docker run command. (this defaults to: logstash:5000)
    "servers": [ "LOGSTASH_SERVER" ],
    # The path to your trusted ssl CA file.
    # You shouldn't change this path. Unless you change the
    # actual filename.
    "ssl ca": "/certs/logstash-forwarder.crt",
    # Network timeout in seconds. This is most important for
    # logstash-forwarder determining whether to stop waiting for an
    # acknowledgement from the downstream server. If a timeout is reached,
    # logstash-forwarder will assume the connection or server is bad and
    # will connect to a server chosen at random from the servers list.
    "timeout": 15
  },
  # The list of file configurations
  # You should change this part to match your needs.
  "files": [
    # An array of hashes. Each hash tells what paths to watch and
    # what fields to annotate on events from those paths.
    {
      "paths": [
        # single paths are fine
        "/var/log/messages",
        # globs are fine too, they will be periodically evaluated
        # to see if any new files match the wildcard.
        "/var/log/*.log"
      ],
      # A dictionary of fields to annotate on each event.
      "fields": { "type": "syslog" }
    }, {
      # A path of "-" means stdin.
      "paths": [ "-" ],
      "fields": { "type": "stdin" }
    }, {
      "paths": [
        "/var/log/apache/httpd-*.log"
      ],
      "fields": { "type": "apache" }
    }
  ]
}

This config is almost an exact copy of the Logstash Forwarder sample config. You can find it here.

A few notes: you shouldn't change the certificate file path, because it is resolved inside the Docker container, where the certificate appears under /certs only through the volume you mount when you run the container.

The other thing is the server address: you can pass a LOGSTASH_SERVER environment variable to docker run, but in that case you have to keep the literal LOGSTASH_SERVER placeholder in the config, exactly as in the sample above, so the image can substitute it.
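As an added example, and not code from this post or from the logstash-forwarder project, the script below does what the two notes above describe so you can check a config before starting the container: it strips the # comments (which logstash-forwarder accepts but json.loads does not), substitutes LOGSTASH_SERVER from the environment with the logstash:5000 default named in the config comment, validates the result, and checks that the host part of a servers entry would match the certificate the forwarder is handed. It assumes the image performs a plain textual substitution of the placeholder at start-up; the sample config and the certificate dictionaries are constructed here, in the layout Python's ssl.getpeercert() returns, and the wildcard and CN-fallback rules mirror what a Go TLS client of logstash-forwarder's era applied.

```python
"""Added example: render, validate and name-check a logstash-forwarder config.
Not the post's or the project's own code. Assumption: the image replaces the
literal LOGSTASH_SERVER with $LOGSTASH_SERVER at start-up (default logstash:5000)."""
import ipaddress
import json
import os
import re

DEFAULT_SERVER = "logstash:5000"    # default named in the post's config comment
PLACEHOLDER = "LOGSTASH_SERVER"

# Constructed sample: a cut-down copy of the post's config, comments included.
SAMPLE_CONFIG = """{
  # The network section covers network configuration :)
  "network": {
    "servers": [ "LOGSTASH_SERVER" ],
    "ssl ca": "/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    { "paths": [ "/var/log/messages", "/var/log/*.log" ],
      "fields": { "type": "syslog" } },
    { "paths": [ "-" ], "fields": { "type": "stdin" } }
  ]
}"""


def render_config(text, env=None):
    """Drop full-line '#' comments, substitute the server placeholder from the
    environment (assumed start-up behaviour of the image), and parse the JSON."""
    env = os.environ if env is None else env
    server = env.get("LOGSTASH_SERVER", DEFAULT_SERVER)
    stripped = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return json.loads(stripped.replace(PLACEHOLDER, server))


def validate_config(cfg):
    """Return a list of problems; an empty list means the forwarder can at least start."""
    problems = []
    net = cfg.get("network", {})
    servers = net.get("servers", [])
    if not servers:
        problems.append("network.servers is empty")
    for s in servers:
        if not re.fullmatch(r"[^\s:]+:\d{1,5}", s):
            problems.append(f"server {s!r} is not host:port")
    if not net.get("ssl ca", "").startswith("/certs/"):
        problems.append("ssl ca must live under /certs, the path mounted into the container")
    if not isinstance(net.get("timeout"), int) or net["timeout"] <= 0:
        problems.append("network.timeout must be a positive integer")
    if not any(f.get("paths") for f in cfg.get("files", [])):
        problems.append("no files.paths configured; nothing would be shipped")
    return problems


def _dns_match(pattern, name):
    # A leading '*.' matches exactly one label; otherwise names must be equal.
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return pattern == name


def hostname_matches_cert(server, cert):
    """Mimic the TLS client's name check for one servers entry: an IP address must
    appear as an IP SAN, a DNS name as a DNS SAN, and the Common Name is consulted
    only when the certificate carries no SAN at all. `cert` uses the dict layout
    of ssl.getpeercert()."""
    name = server.rsplit(":", 1)[0].lower()
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v.lower() for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_match(p, name) for p in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn.lower(), name) for cn in cns)


if __name__ == "__main__":
    cfg = render_config(SAMPLE_CONFIG)
    print("servers:", cfg["network"]["servers"])
    print("problems:", validate_config(cfg) or "none")
    # Constructed certificate: CN and DNS SAN "logstash", IP SAN 10.0.0.5.
    cert = {"subject": ((("commonName", "logstash"),),),
            "subjectAltName": (("DNS", "logstash"), ("IP Address", "10.0.0.5"))}
    for s in cfg["network"]["servers"]:
        print(s, "matches cert:", hostname_matches_cert(s, cert))
```

Run it with LOGSTASH_SERVER set to whatever you will pass to docker run; if the name check fails for a hostname, fix the DNS or /etc/hosts entry (or reissue the certificate), not the config.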

Finally, save all those files (config + cert) in a directory structure like this. Actually, the exact layout is not that important, but if you use a different one you have to change the volume mounts in the docker run command to match yours.

Then follow the container's stdout and make sure it started properly. If anything goes wrong, start from the forwarder's log output; a certificate or name mismatch shows up there as a failed connection attempt, and the Logstash server log gives the other side of the story.

In this command I also mounted /var/log from the host into the container, so it will harvest /var/log/messages and /var/log/*.log from the host machine; you may need to change this too. The forwarder only reads these files, so mount the directory read-only (the :ro suffix on the volume), and keep in mind that the container then sees everything under /var/log, so narrow the mount or the globs if some files there must not leave the host.

If everything goes well, you'll see a message saying that it has connected to the server and is ready to send logs. Since the config file also has stdin configured as an input, you can run the container with the -i option and whatever you type goes directly to the Logstash server, tagged with the type "stdin" field from the config.